In the early months of 2012, consulting firm PwC joined CIO magazine and CSO magazine to conduct a worldwide survey on the global state of information security. More than 9,300 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security from 128 countries took part in the survey. The full results are documented in the report Changing the game – Key findings from The Global State of Information Security Survey 2013.
With so many top executives from organizations all over the world participating in the survey, PwC was able to see a very broad spectrum of where companies are in terms of their IT security strategies and programs. PwC concluded that just 8% of the participants responded to the questions in a way that met the consulting firm’s criteria for leadership in the field. PwC calls the 8% “an elite group with the vision, determination, skills and support to create the most effective security organizations.”
This begs the question, “What makes them so special?” What is it about these organizations that allows them to have such effective security programs that they are identified as among the best in the world? The PwC report outlines the traits these organizations exhibit that make them leaders in the way they secure their IT environments:
Leaders align security with the overall business strategy.
It costs money to implement and maintain an organization-wide IT security strategy, and that means the top security executive has to justify his budget and resources. Security leaders understand that the best way to justify a budget is to tie it directly to how it supports the overall organization’s business strategy. Executives come prepared with measurements of financial losses that would result from a security incident. Moreover, they are less likely to cut security spending and more likely to increase it.
Leaders take an integrated approach to security.
Many organizations tend to address security concerns one point at a time. This can lead to a series of siloed solutions that may provide some overlap but also leave some gaps. What’s worse, the products may not work well together, making it difficult to correlate incidents and spot trends that indicate security issues. Security leaders take a more holistic approach. According to the report, “Organizations that are true leaders in information security are much more likely than other companies to employ integrated approaches and frameworks that combine compliance, privacy and data usage, security, and identity theft.”
Leaders appoint a responsible executive or two.
Who’s in charge here? Businesses that are recognized for having a highly effective security organization are much more likely to employ a Chief Information Security Officer (CISO) and a Chief Security Officer (CSO) than the overall survey population. This shows that security is highly important to the organization and not just something that is bolted onto projects and systems as an afterthought.
Leaders get a jump-start on security strategies for new technologies.
When it comes to securing new technologies like mobile devices and the cloud, leaders jump right in to develop a security strategy and deploy solutions. This gives the organizations an early adopter position in using those technologies – safely and securely – to attain a competitive advantage.
Leaders are aware of what’s going on within their organization.
According to the report, “leaders are far more aware of what’s going on in their organizations than the average respondent.” This just stands to reason when you consider that leaders are more likely to have a responsible executive (the CISO or CSO); they view the organization’s security needs holistically; and they tie the security budget to the company’s overall business strategy. You cannot do these latter activities and be ignorant of what’s happening across the organization.
You can improve your information security performance
The report offers advice for organizations that want to strengthen their security practice:
- Implement a comprehensive risk-assessment strategy and align security investments with identified risks
- Understand their organization’s information, who wants it, and what tactics adversaries might use to get it
- Understand that information security requirements – and, indeed, overall strategies for doing business – have reached a turning point
- Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value to the business